NIS2 and KSC

KSC amendment – what does the February 7, 2025 draft change?

On February 12, 2025, another draft amendment to the Law on the National Cyber Security System, dated February 7, 2025, was published on the website of the Government Legislation Center. The new version makes changes to, among other things, the classification of public entities and the requirements placed on them. The draft maintains the existing requirements for private entities.

Public entities divided into key and important

One of the most significant changes is the distinction between key and important public entities. Previously, all public entities were treated as key, which meant equivalent cyber security requirements for them. The new version of the draft divides public entities into key and important. Important entities include local government budget units, budgetary establishments and cultural institutions, among others, which means they will be subject to less stringent requirements than public entities classified as key entities.

Information security management system on different principles

Recall that Article 8 of the draft law requires key and important entities to implement an information security management system and provides detailed criteria for it. In contrast, for important public entities the current amendment introduces an obligation to implement a simplified information security management system, the details of which are described in the new Annex 4 to the Law.

Important public entities with fewer responsibilities

Under the amendment, important public entities will have simplified incident reporting obligations. In practice, this means that they will be required to report only those violations that actually affect their operations. They will not be obliged to provide early warnings, an interim report or a final report.

Public entities can act together

The amendment to the KSC also clarifies the rules of cooperation between public entities operating information systems to carry out the public task of cyber security. This is an important change for public entities, as it allows them to designate the entity responsible for carrying out their duties under the law. Local government entities can enter into an agreement to entrust one of them with the implementation of the designated statutory duties. This is a very beneficial change for public entities, which can guarantee more effective and consistent action in the sphere of cyber security.

More powers for the Minister of Digitization

The draft amendment changes the rules for the application of supervisory measures over key entities. The Minister of Digitization is given the power to suspend or restrict a key entity’s license, suspend its activities, or even prohibit it from performing management functions if the entity fails to implement administrative orders or decisions. In earlier versions of the draft, the cybersecurity authority had no such independent powers.

Smaller financial penalties for entity managers

Another important change is the reduction of the maximum financial penalty for managers of key and important entities. The amendment to the KSC provides for a reduction in sanctions from 600% to 300% of salary, with the aim of bringing them in line with real financial possibilities. The introduction of this change is intended to prevent situations in which excessive penalties could discourage cyber security efforts.

Legislative process – adoption of the draft by the Committee for European Affairs

Following the completion of work on the draft, on February 13, 2025, the Committee for European Affairs adopted the draft law on amendments to the Law on KSC and certain other laws by circulation. Confirmation of the adoption came with a memorandum of divergence.

The Committee recommended that the draft be referred to the Standing Committee of the Council of Ministers for consideration after submission by the Minister of Digitization. This means that the draft is at the next stage of the legislative procedure and is awaiting further decisions by government bodies.

Summary

The amendment to the KSC, i.e. the Law on the National Cyber Security System, is part of the implementation of the NIS2 Directive into Polish law. The directive’s provisions require member states to increase the resilience of critical infrastructure and implement effective mechanisms for responding to cyber threats.

However, legislation alone is not enough to effectively protect public and private entities from attacks. A comprehensive approach to security that includes appropriate procedures, technologies and systematic monitoring of threats is crucial. All entities should implement solutions tailored to their specific needs, rather than relying solely on regulatory compliance.

Aligning Poland’s cyber security system with NIS2 is a step toward better protection of infrastructure and key services. However, in order for the new regulations to be effective, they need to be supported by investments in modern security systems and the development of employees’ competencies.

Check if you are ready for the NIS2 directive and KSC changes. Get in touch with us!